The defense sector and its vital supply chain partners have come under renewed threat from the Interlock Ransomware group, which has shifted its focus to high-value targets such as defense contractors and related manufacturing firms.
This pivot comes amid ongoing geopolitical tensions, such as the Russia-Ukraine conflict, Israel-Hamas hostilities, and strained Pakistan-India relations, which have amplified both kinetic and non-kinetic cyber operations globally.
Experts warn that such attacks not only threaten immediate victims but also reverberate throughout the broader defense ecosystem, impacting operational readiness and national security.
Double Extortion & Espionage
Recent intelligence reporting by Resecurity highlights how adversarial actors leverage global crises for ransomware campaigns, blurring the line between financially motivated cybercrime and state-sponsored espionage.
The latest confirmed Interlock campaign targeted National Defense Corporation (NDC) and subsidiaries including AMTEC, a manufacturer specializing in military explosives and ammunition.
Sensitive data exfiltrated in this breach was published on the group’s TOR-based Data Leak Site (DLS), exposing critical supply chain information to the public and potential adversaries.
Parent company National Presto Industries subsequently reported a cybersecurity incident to the SEC, underscoring the operational impact.
Interlock ransomware, publicly active since September 2024, has rapidly adapted its targeting strategies.
While initially opportunistic, targeting various sectors worldwide, the attack on a defense supply chain operator of AMTEC’s scale suggests a deliberate, intelligence-driven operation.
Analysts do not rule out the involvement of nation-state actors, given the value of defense sector data and the potential for ransomware to act as a smokescreen for espionage and data theft.
Such operations provide adversaries with insight into logistics, warehouse locations, key personnel, contract details, and more: information with obvious military and geopolitical value.
Supply Chain Exposure and Cascading Risks
The consequences of the Interlock breach are far-reaching. The leaked datasets reportedly contain references to top global defense enterprises, including Raytheon, SpaceX, Leonardo, Thales, and QinetiQ, as well as shipment and contract details concerning military exports, government clients, and production schedules.
The exposure of such data amplifies supply chain risk, as adversaries may exploit this intelligence to disrupt logistics, intercept shipments, or target downstream partners, many of whom are smaller firms lacking robust cybersecurity defenses.
The affected documents also include sensitive information on U.S. Department of Defense contracts, transportation codes, and key personnel, raising alarms about the potential compromise of classified projects and operational planning.
The risk is not only of data theft but also of operational disruption, as ransomware attacks delay the delivery and development of essential military materiel, with possible effects on real-world conflict dynamics.
This incident underscores the urgent need for compliance with cybersecurity frameworks such as the Cybersecurity Maturity Model Certification (CMMC) and the NIST Ransomware Profile.
These standards provide a layered defense model, mandating access controls, data encryption, incident response procedures, and proactive supply chain risk management, all critical for preventing and mitigating ransomware threats.
Failure to comply not only risks business loss and reputational damage but can also trigger legal action under statutes like the False Claims Act.
Ransomware attacks of this scale highlight the intersection of cybercrime, geopolitical strategy, and national security risk.
Defense contractors must implement continuous threat monitoring, extend security controls to suppliers and partners, and invest in both defensive technologies and incident response preparedness to withstand the escalating threat landscape.
Indicators of Compromise (IOC)